Return
-
Title
Minimal Rights and Permissions Required for InTrust Operations -
Description
Minimal Rights and Permissions Required for InTrust Operations
-
Cause
N/A -
Resolution
Minimal Rights and Permissions Required for InTrust Operations
Operation or Account Permissions or Database Roles Notes Run InTrust suite setup Setup must be launched under the account that: - Is a member of the local Administrators group on the computer where it is run.
- Has a dbo role for all InTrust databases (or access rights for these databases at least as prescribed by this table).
When installing the second (and following) InTrust Servers into your InTrust Organization, check that the setup account is included into InTrust Organization Administrators (use the properties of InTrust Manager root node). To install the reports from the Knowledge Packs you select, the following is required:
- Membership in the local Administrators group on the computer where the reports are to be installed
- Content Manager role for the Home folder in SQL Server Reporting Services.
- System Administrator site-level role in SQL Server Reporting Services (for creating item-level roles and shared schedule)
- Use the Reporting Services Report Manager to assign the required roles with Security settings for each item you need.
- If turned on on Windows Vista or 2008 computer, User Access Control (UAC) may prevent installation packages from running properly. To avoid possible problems, Report Packs should be installed under the local administrator’s account (for that, either re-logon, or use runas command).
To provide automatic creation of Service Connection Point (SCP) by InTrust means, you should perform the following before the setup: Create a container"CN=Quest InTrust, CN=System..." and assign the following rights for this container for the account under which you will run the setup:
- Create All Child Objects
- Read Permissions
- Modify Permissions
-OR-
Specify the following permissions for the "CN=System..." in the Active Directory configuration partition for the account under which you will run the setup:
- Create All Child Objects
- Read Permissions
- Modify Permissions
- Read All Properties
- Write All Properties
These permissions must be applied onto This object and all child objects scope.
The account that performs uninstallation of InTrust Server must have the Delete All Child Objects permission on the "CN=Quest InTrust, CN=System..." container to delete the SCP.
If you need to change an account after the InTrust installation, use the adcsrvacc command-line utility. For more details, see the User Guide.
InTrust Server account - Membership in the local Administrators group on the computer where InTrust Server runs
- The following security settings must be turned on:
- Log on as a service
- Adjust memory quotas for a process
- Replace a process level token
Install agent Membership in the local Administrators group on the agent computer The Admin$ share must exist on the target computer if you are installing the agent using InTrust. Agent account Membership in the local Administrators group,
-OR-
LocalSystem accountUse the InTrust Manager snap-in Membership in the AMS Readers computer local group on the InTrust Server To view InTrust configuration objects in InTrust Manager, a user must be a member of the AMS Readers local group on the InTrust Server, or an InTrust organization administrator (included in the list in the properties of the root node in InTrust Manager). Access the configuration database ADCCfgUser role for the configuration database This role is created by setup or by the configdb.sql script and is granted the following permissions: - CREATE TABLE (at the database level)
- INSERT,SELECT,DELETE,UPDATE on all user tables in the database
- EXECUTE on all user stored procedures in the database
Gather events from site computers without agents - Full control permission to the InTrust Server installation folder.
- Access this computer from the network
- Manage auditing and security log (required to gather the Security log only)
To gather events from an event log on a Windows Server 2003 or Windows XP computer with event log security through aGPO or registry settings, Read access permission must be given in the ACE of appropriate log(s) to the account used to run a job. For details refer to Microsoft KB article 323076. Gather events from site computers with agents Full control permission to the InTrust Server installation folder. To gather events from an event log on a Windows Server 2003 or Windows XP computer with event log security through aGPO or registry settings, Read access permission must be given in the ACE of the appropriate log(s) to the account of the agent. For details refer to Microsoft KB article 323076. Store events in a repository Modify permission to the repository If a repository is accessed under the account specified explicitly (for repository, job or task account), membership in AMS Readers computer local group on the InTrust Server and Log on as a batch job right on the InTrust Server is required for that account.
Consolidate repositories - Full control permission to the InTrust Server installation folder.
- Read permission to the source repository
- Modify permission to the target repository
Import data from a repository - Full control permission to the InTrust Server installation folder.
- Read permission to the repository
Clean up a repository Modify permission to the repository Store events in an audit database (gathering or import) InTrust Gathering role for the Audit Database This role is created by setup or by the auditdb.sql script. Clean up an audit database To clean up all events
db_owner role for the audit databaseTo clean up part of the events (for specific time periods)
InTrust AuditDB Cleanup role for the audit databaseThis role is created by setup or by the auditdb.sql script. Run reporting job or work with reports in Quest Knowledge Portal (without using Report Builder) - Content Manager role for the QKP\SharedDatasources folder and for the folder where the report is located (under \QKP folder) in SQL Reporting Services.
- Browser role for the Home folder in SQL Reporting Services.
- Reporting Console User role for the account that will be used to connect to the database.
- Read permission for the %WinDir%.
- For a reporting job, this account is specified when setting the Credentials in the job properties.
- For account that will be used to work with the Knowledge Portal, use Data Source properties to assign the required credentials.
Note that this account must belong to the same domain where SSRS (hosting Knowledge Portal) is installed, otherwise membership in the Authenticated Users group (for SRS' domain) is required.
Add reports to a reporting job - Read permission for the %WinDir%.
- db_datareader role for the database selected as the data source for reporting.
- For the Home folder in Reporting Services: Browser role.
Run reporting job using Import objects from the repository option Rights and permissions required for both import and reporting jobs, sufficient rights for connection to the audit database. For detailed list of rights and permissions required and security settings their usage depends on, refer to Report-driven Data Import section of the InTrust User Guide. Create reports interactively using Report Builder System User or System Administrator role for the web site where the Knowledge Portal application runs. This role can be assigned using SQL Reporting Services Report Manager (site-level security settings). Store alerts in an alert database InTrust Real-Time Monitoring role for the alert database This role is created by setup or by the alertdb.sql script. Clean up an alert database InTrust AlertDB Cleanup role for the Alert Database This role is created by setup or by the alertdb.sql script. Manage alerts from InTrust Monitoring Console InTrust Monitoring Console role for the alert database This role is created by setup or by the alertdb.sql script. Create and edit a profile in Monitoring Console Administrator role for COM+ System Application on the computer where the Monitoring Console runs. To check if you have this role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node. Connect to an alert database using SQL Server authentication For a profile to use SQL Server authentication when connecting to the alert database, the Run As account should be included into local Administrators group on the computer where the Monitoring Console is installed. Perform indexing of idle repository with standalone IndexingTool.exe Both on the repository folder and on the index folder, for the account that perform indexing: - Read and Modify file system permissions
- If the repository and index folders are shared: Read and Change share permissions
Perform indexing of a production repository - On the index folder, for the InTrust Server account:
Read and Modify file system permissions. If the index folder is shared: Read and Change share permissions. - On the repository folder, for the indexing account: Read and Modify file system permissions. If the repository folder is shared: Read and Change share permissions.
- Active Directory delegation must be enabled for the following:
- The account of the InTrust server that manages the repository
- The user accounts that perform indexing
- The user account that performs indexing must be a member of the computer local AMS Readers group on the InTrust Server that manages the repository and on the InTrust server that Repository Viewer connects to (these may be two different servers).
- If the value of the IDX_IndexAccessCheckMode is 1 (not the default 0), then the file system and share permissions required for the repository are also required for the index. This is because index access permissions are verified using a file in the repository. The Quest InTrust Server service account should be granted Read and Modify file system permissions to the repository folder (Read and Change share permissions if the repository folder is shared).
Open an idle repository in Repository Viewer Both on the repository folder and on the index folder, for the account used to open Repository Viewer: - Read file system permission
- If the repository and index folders are shared: Read share permission
Open a production repository in Repository Viewer - On the repository folder, for the account used to open Repository Viewer:
- Read file system permission
- If the repository folder is shared: Read share permission.
- InTrust Server service account must have the Read file system permission on the index folder
- Active Directory delegation must be enabled for the following:
- The account of the InTrust server that manages the repository
- The user account that Repository Viewer is running under
- The user account that Repository Viewer is running under must be a member of the computer local AMS Readers group on the InTrust Server that manages the repository and on the InTrust server that Repository Viewer connects to (these may be two different servers).
- If the value of the IDX_IndexAccessCheckMode is 1 (not the default 0), then the file system and share permissions required for the repository are also required for the index. This is because index access permissions are verified using a file in the repository. The Quest InTrust Server service account should be granted Read and Modify file system permissions to the repository folder (Read and Change share permissions if the repository folder is shared).
-
Additional Information
For information on specifying the accounts, permissions, and database roles, see the InTrust Installation and Configuration Guide and InTrust User Guide. For details about configuration scripts, see the InTrust Upgrade Path document.